ISACA CISA Exam Questions


61.

An IT strategy committee advises the board and management regarding IT strategy. What does an IT steering committee do?

  • Ensures the IT department is in harmony with the corporate mission and objectives

  • Focuses on strategic IT issues, both current and future

  • Provides input regarding strategy

  • Prepares the strategy for approval

Correct answer: Ensures the IT department is in harmony with the corporate mission and objectives

An IT steering committee ensures the IT department is in harmony with the corporate mission and objectives. It falls under the responsibility of executive management and acts as a liaison between management and project personnel.

An IT strategy committee advises the board and management regarding IT strategy. Focusing on strategic IT issues, providing input regarding strategy, advising on IT strategy, and preparing the strategy for approval are all functions of the IT strategy committee.

62.

Testing of new software development can be either bottom-up or top-down. With top-down testing, advantages include all the following EXCEPT:

  • Testing can be started before all programs are complete.

  • Major functions are tested early.

  • It's possible to detect errors in interfaces sooner.

  • Confidence increases because testers see a functioning system.

Correct answer: Testing can be started before all programs are complete

Testing can be started before all programs are completed in bottom-up testing, not top-down testing. Bottom-up testing begins by testing smaller units, such as programs and modules, and works up to testing large systems. Usually, large systems are tested with a bottom-up approach.

In top-down testing, major functions are tested early, errors in interfaces can be detected sooner, and confidence is increased because testers see a working system. 

63.

All the following are situations where an encryption key should be rotated, EXCEPT:

  • When an unsuccessful login attempt is recorded

  • When the encryption key has been compromised

  • When the key has expired

  • When a staff member associated with key generation leaves the organization

Correct answer: When an unsuccessful login attempt is recorded

Encryption keys should be rotated at regular events and when certain events occur. Unsuccessful login attempts are not indicative of a key compromise.

Key rotations should occur when the encryption key has been compromised, when the key has expired, and when a staff member associated with key generation leaves the organization.

64.

Which ISACA principle of privacy ensures that personal information is only collected for a specific purpose?

  • Use limitation

  • Choice and consent

  • Individual participation

  • Breach management

Correct answer: Use limitation

An auditor can use privacy principles as a framework when doing a privacy audit. Legitimate purpose specification and use limitation can ensure that collected data is only used for its intended purpose.

Choice and consent refer to the company giving users an option before transferring personal information. Individual participation refers to users being able to access the data that is held. Breach management refers to the company having procedures in place to respond to an incident.

65.

What is the term for permitting users to access only those areas required to perform their duties?

  • Least privilege

  • Top secret

  • Credentialed access

  • Trusted party access

Correct answer: Least privilege

Least privilege involves granting access only to those areas required to perform duties. This access should be granted according to documented need-to-know and need-to-do requirements. Access can be granted for files, tables, or data items. Within those levels, access can include different privileges. For example, access can be read-only or can include the ability to write or update.

66.

Which term describes documents that contain detailed descriptions of the steps required to perform a specific operation?

  • Procedures

  • Policies

  • Standards

  • Regulations

Correct answer: Procedures

Procedures are step-by-step instructions for carrying out tasks. They ensure that tasks are performed consistently even if done by different personnel.

Policies are high-level principles an organization adopts to guide its activities. Standards are codes of practice or specifications recommended by an external authority. Regulations are requirements imposed by governmental authorities.

67.

Which dimension of data quality refers to the extent to which information is correct and reliable?

  • Intrinsic

  • Contextual

  • Security

  • Accessibility

Correct answer: Intrinsic

The intrinsic dimension of data quality concerns the degree to which data values conform to the actual, true values; it covers accuracy, objectivity, believability, and reputation.

If the data is not worthwhile in terms of quality and content, then managing it is pointless. For data to carry the most value, it has to be complete, whole, and accurate. There are three dimensions of quality: intrinsic, contextual, and security/accessibility. Each dimension is divided further as follows:

  • Intrinsic
    • Accuracy
    • Objectivity
    • Believability
    • Reputation
  • Contextual
    • Relevancy
    • Completeness
    • Currency
    • Appropriate amount
    • Concise representation
    • Consistent representation
    • Interpretability
    • Understandability
    • Ease of manipulation
  • Security/Accessibility
    • Availability
    • Restricted access

68.

When an auditor is assessing environmental controls such as fireproof walls, floors, and ceilings, what type of documentation should be acquired?

  • Identification of the fire rating

  • Identification of material composition

  • Evacuation instructions

  • Records of previous incidents

Correct answer: Identification of the fire rating

To audit physical controls, specifically fireproof walls, floors, and ceilings, an IS auditor should have copies of the documentation that details the fire rating of the fireproof materials that surround the information processing center. Ideally, they should have a rating of at least two hours of fire resistance. 

The auditor needs to know the fire rating, not just the material composition of the walls, floors, and ceiling.

69.

When trying to gain a full understanding of a LAN, an IS auditor should identify and document all the following EXCEPT?

  • PPP features that have been implemented

  • Applications used on it

  • Topology and network design

  • Users and groups with privileged access rights

Correct answer: PPP features that have been implemented

The point-to-point protocol (PPP) is used with WANs, not LANs. It is a data-link protocol designed for devices over a serial line.

Some topics an auditor should look at include users and groups with privileged access rights, LAN topology and network designs, LAN administrators, and computer applications running on the LAN.

70.

All the following are potential advantages of outsourcing EXCEPT:

  • Outsourced vendors are always compliant with legal and regulatory requirements.

  • Outsourced vendors can achieve economies of scale.

  • Outlining specifications and coming to contractual agreements with outsourced vendors will probably result in better specifications.

  • Outsourced vendors can devote more time to a particular project than in-house staff.

Correct answer: Outsourced vendors are always compliant with legal and regulatory requirements.

A disadvantage of outsourcing is that vendors are not always compliant with legal and regulatory requirements. The contract needs to contain provisions requiring that the vendor complies with all the relevant legal and regulatory requirements. Contracts should also establish ownership of intellectual property and have provisions for protecting intellectual property rights. Contracts should specify that the vendor complies with legislation.

The advantages of outsourcing include focusing on core activities, profit margins, cost savings, faster time-to-market, and flexibility.

71.

All the following are factors that affect an audit, EXCEPT:

  • Hiring a new staff member

  • Changing market conditions

  • A merger or acquisition

  • New regulatory requirements

Correct answer: Hiring a new staff member

Events that result in new business processes or changes to business processes often affect security controls. These changes could require a new audit. However, hiring new staff members should not change business processes.

Changing market conditions could affect supply chains, thereby affecting an audit. Mergers and acquisitions combine two organizations and involve intensive changes to processes. New regulatory requirements, such as GLBA, can affect audits.

72.

An IS auditor is going to review an organization's information security policy. Which standard can they refer to as a benchmark during this process?

  • ISO/IEC 27001

  • COBIT

  • ITIL

  • ISO 31000

Correct answer: ISO/IEC 27001

The ISO/IEC 27001 standard is for information security management systems. It is a framework to identify, assess, and manage information security risks.

COBIT is a framework to ensure alignment between IT and business goals. ITIL is used for successful operational service management. ISO 31000 is used for risk management.

73.

An auditor has been asked to perform attribute sampling and should achieve a low precision percentage. What can they do to achieve this?

  • Use a high sample size

  • Aim for a low accuracy number

  • Reduce the tolerable error rate

  • Set the confidence coefficient to 90%

Correct answer: Use a high sample size

Precision is how closely a sample represents a population. A low precision amount or percentage equates to high accuracy and is achieved by using a larger sample size rather than a smaller sample size.

A low-accuracy number means a high precision percentage. The tolerable error rate is the highest number of errors there can be without a result being materially misstated. A confidence coefficient of 90% is not a high degree of comfort.

74.

Which of the following is NOT a basic step for managing and administering audit projects?

  • Monitor management response

  • Plan the audit engagement

  • Execute the plan

  • Build the audit plan

Correct answer: Monitor management response

The following are basic steps for managing and administering audit projects:

  • Plan the audit engagement
  • Build the audit plan
  • Execute the plan
  • Monitor project activity

Monitoring management response is not a basic step in managing and administering audit projects.

75.

What is the primary objective of capacity management?

  • To ensure available resources are used efficiently and effectively

  • To ensure resources are available for up to 50% growth

  • To ensure there are adequate resources to duplicate current processing in case of a disaster

  • To ensure resource usage is consistently around 100%

Correct answer: To ensure available resources are used efficiently and effectively

Capacity management's objective is to ensure that available resources are used efficiently and effectively. Resource usage should be around 85% to 95%. Utilization at 100% indicates that there is not enough capacity. The cost of new capacity should be deferred to a later date whenever possible.

Capacity management does not have to plan for 50% growth, plan for disasters, or keep usage at 100%.

76.

What is the objective of using a Six Sigma approach?

  • To improve processes and reduce the number of defects

  • To require users to use multiple types of authentication before accessing resources

  • To make assumptions about a population based on a variable sample

  • To split knowledge of a task between two or more persons for redundancy

Correct answer: To improve processes and reduce the number of defects

Six Sigma is a process improvement system that was developed by Motorola in 1986. In Six Sigma, a defect is anything outside customer specifications. Six Sigma’s emphasis is on standardizing processes as a means of process improvement and defect reduction. Every Six Sigma project has a quantified value, such as increasing customer satisfaction.

Multi-factor authentication is the use of various authentication types before a resource can be accessed. Variable sampling is using samples to make assumptions about a population. Split custody involves splitting knowledge of a task between two or more people. 

77.

What does ISACA's privacy principle of individual participation outline?

  • Giving users access to their personal information

  • Ensuring users have consent prior to transferring personal information

  • Removing personal information when it is no longer needed

  • Verifying that information is accurate, complete, and up to date

Correct answer: Giving users access to their personal information

ISACA describes principles for privacy that can be used as a framework for auditing privacy. The principle of individual participation refers to giving users access to their personal information. 

Ensuring users have consent prior to transferring personal information is the principle of choice and consent. Removing personal information when it is no longer needed is the principle of use limitation. Verifying that information is accurate, complete, and up to date is the principle of accuracy and quality.

78.

Which statement accurately describes the difference between quality assurance and quality control?

  • Quality assurance is the planned and systematic pattern of actions needed to prevent defects, while quality control is the inspection of a finished product to verify it meets expectations.

  • Quality assurance is the process of diagnosing an event to find its cause, while quality control is the planned and systematic pattern of actions needed to prevent defects.

  • Quality assurance is the process of comparing a product against competitors, while quality control is measuring the success of an organization in meeting its goals.

  • Quality assurance is the inspection of a finished product to verify it meets expectations, while quality control is the process of comparing a product against competitors.

Correct answer: Quality assurance is the planned and systematic pattern of actions needed to prevent defects, while quality control is the inspection of a finished product to verify it meets expectations.

Quality assurance and quality control are two distinct tasks. Quality assurance occurs while the product or service is in development and is a set of actions to ensure quality, while quality control happens after and is used to test finished products to see whether they meet expectations.

The process of diagnosing an event to find its cause is root cause analysis. The process of comparing a product against competitors is benchmarking. Measuring the success of an organization in meeting its goals is the purpose of a key performance indicator (KPI).

79.

The equal error rate is a metric used in which area?

  • Biometrics

  • Password-generation software

  • Multifactor authentication systems

  • Logon ID maintenance

Correct answer: Biometrics

The equal error rate is used in determining the performance of biometric control devices. The accuracy of biometric devices needs to be determined. The false rejection rate tracks the number of times an individual is falsely rejected by a biometric system. The failure to enroll rate tracks the number of people who fail to be enrolled successfully. The false acceptance rate is the number of times a person is falsely accepted by the system. 

A biometric system can be adjusted to lower either the false rejection rate or the false acceptance rate; however, usually when one decreases, the other increases. The overall measurement of the two error types is the equal error rate. The lower the equal error rate is, the more effective the biometric measurement will be.

80.

There are three types of project organizational structures. Which of the following is NOT a project management organizational structure?

  • Control-structured organization

  • Functional-structured organization

  • Project-structured organization

  • Matrix-structured organization

Correct answer: Control-structured organization

Control-structured organization is not a recognized project organizational form. 

In a functional-structured organization, the project manager advises team members but doesn't have formal managerial authority. In a project-structured organization, the project manager has formal authority over the team members of the project. In a matrix-structured organization, the management authority is shared between the project manager and the heads of various departments.